
Thread: Process 401/403 differently according to URLs

#1

Process 401/403 differently according to URLs

    I have three types of URLs to be protected:
    UI - /ui/**
    RESTful Web Service - /ws/rest/**
    SOAP Web Service - /ws/soap/**

For UI URLs, if a user is not authenticated, I want them to be redirected to the login page automatically; if the user is not authorized to access the URL, it should show a friendly page instead of the default 403 error page.
It's quite simple; just specify a "login-page" and "access-denied-page" as below:

    Code:
<security:http auto-config='true' access-denied-page="/ui/accessDenied.jsp">
    <security:intercept-url pattern="/ui/test.jsp" access="ROLE_ROLE" />
    <security:intercept-url pattern="/ws/rest/*" access="ROLE_ADMIN" />
    <security:intercept-url pattern="/ws/soap/*" access="ROLE_ADMIN" />

    <security:form-login login-page="/ui/login.jsp"
        authentication-failure-url="/ui/login.jsp?login_error=1"
        default-target-url="/ui/prod/products.jsp"
        always-use-default-target="false"/>
    <security:remember-me key="changeit"/>
</security:http>
Now, the problem is that the RESTful and SOAP web services need to behave differently. For an unauthenticated user, a 401 error should be returned to the client instead of a redirect to the login page; for unauthorized URLs, a 403 error code should be returned instead of the user-friendly "access-denied-page". How can I do that?

I am using Spring Security 2.0 with namespace configuration.

#2

I want to inject my own authenticationEntryPoint (redirect to the login page for UI URLs, send error 401 for web service URLs) and accessDeniedHandler (redirect to the 'access-denied-page' for UI URLs, send error 403 for web service URLs) into the exceptionTranslationFilter to do that, but it seems that I cannot do it using namespace configuration.

#3

I solved half of this issue.
I think for 401 (unauthenticated) URLs, I can replace the "authenticationEntryPoint" in ExceptionTranslationFilter with namespace configuration this way:
Code:
<security:http auto-config='true' entry-point-ref="authenticationEntryPoint">
    ...
</security:http>

<bean id="authenticationEntryPoint" class="my own entry point"/>
But for 403, I need to replace "accessDeniedHandler"; however, the namespace configuration does not allow replacing it. How can I replace the accessDeniedHandler?

#4 Luke Taylor (Acegi Security System Team / Spring Team, Glasgow, Scotland)

    Use the "entry-point-ref" attribute.

    http://static.springframework.org/sp...ntry-point-ref

#5

Thanks for your reply. I also found this in the Spring doc, but for 403 it seems that we can only specify a page; it's not allowed to replace the accessDeniedHandler.

    see http://jira.springframework.org/browse/SEC-746

My workaround is to point the access-denied-page at a servlet or Struts action which handles the complexity (redirect to a JSP for UI access, send error code 403 for web service access).

Anyway, it would be great if <security:http> could have a new attribute "access-denied-handler-ref" :-)
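The two pieces discussed in posts #3 to #5, as an added example that is not code from the thread or from Spring Security itself: an AuthenticationEntryPoint wired through entry-point-ref that sends 401 for /ws/** and falls back to the stock login-page redirect for /ui/**, and a servlet used as the access-denied-page that sends a bare 403 for /ws/** and renders the friendly JSP for /ui/**. It is written against the Spring Security 2.0.x interfaces (org.springframework.security.ui.*); the package, class and URL names, the /accessDenied mapping and the Basic realm sent with the 401 are my own assumptions.

```java
// --- PathAwareEntryPoint.java (package example; imports for both files shown once) ---
// Added example, not the thread's or Spring Security's code. Assumed names:
// package "example", classes PathAwareEntryPoint/AccessDeniedServlet, the
// /accessDenied servlet mapping and the "ws" Basic realm.
//
// Wiring in the namespace config (replaces the thread's access-denied-page value):
//   <security:http auto-config="true" entry-point-ref="entryPoint"
//                  access-denied-page="/accessDenied"> ... </security:http>
//   <bean id="entryPoint" class="example.PathAwareEntryPoint">
//       <constructor-arg value="/ui/login.jsp"/>
//   </bean>
//   plus a web.xml <servlet-mapping> of example.AccessDeniedServlet to /accessDenied
package example;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.AuthenticationException;
import org.springframework.security.ui.AuthenticationEntryPoint;
import org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint;

/**
 * Unauthenticated /ws/** requests get a 401 with a challenge; everything else is
 * handed to the stock form-login entry point, which redirects to the login page
 * exactly as <form-login login-page="..."/> does.
 */
public class PathAwareEntryPoint implements AuthenticationEntryPoint {

    private final AuthenticationProcessingFilterEntryPoint uiEntryPoint =
            new AuthenticationProcessingFilterEntryPoint();

    public PathAwareEntryPoint(String loginFormUrl) {
        uiEntryPoint.setLoginFormUrl(loginFormUrl);
    }

    /** True for /ws/rest/** and /ws/soap/**, relative to the context path. */
    static boolean isWebService(HttpServletRequest req) {
        // The access-denied-page is reached by RequestDispatcher.forward, and during
        // a forward getRequestURI() is the forward target (/accessDenied), so read
        // the original URI the container stores for that case first.
        String uri = (String) req.getAttribute("javax.servlet.forward.request_uri");
        if (uri == null) {
            uri = req.getRequestURI();
        }
        String path = uri.substring(req.getContextPath().length());
        return path.startsWith("/ws/");
    }

    public void commence(ServletRequest request, ServletResponse response,
                         AuthenticationException authException)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        if (isWebService(req)) {
            // A 401 should carry a WWW-Authenticate challenge; Basic is an assumption
            // about the service clients, change it to whatever scheme they use.
            resp.setHeader("WWW-Authenticate", "Basic realm=\"ws\"");
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication required");
            return;
        }
        uiEntryPoint.commence(request, response, authException);
    }
}

// --- AccessDeniedServlet.java (same package and imports) ---
/**
 * Target of access-denied-page="/accessDenied". The namespace's AccessDeniedHandlerImpl
 * forwards here, so this servlet only chooses between a body-less 403 for service
 * clients and the friendly page for browsers.
 */
public class AccessDeniedServlet extends HttpServlet {

    private static final String UI_PAGE = "/ui/accessDenied.jsp"; // page from the thread's config

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (PathAwareEntryPoint.isWebService(req)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);   // plain 403, no HTML body
        } else {
            resp.setStatus(HttpServletResponse.SC_FORBIDDEN);   // keep 403 visible in logs/monitoring
            req.getRequestDispatcher(UI_PAGE).forward(req, resp);
        }
    }
}
```

Two things to check when using this: the path test must look at javax.servlet.forward.request_uri, because the access-denied-page is served by a forward inside the original request and getRequestURI() no longer names the protected resource at that point; and /accessDenied needs no intercept-url entry, since the security filter chain does not run again on a forward. The UI branch deliberately keeps the 403 status while rendering the JSP, so the friendly page does not turn an authorization failure into a 200 in access logs.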

#6

I submitted a CR for you; please evaluate it :-)
    http://jira.springframework.org/browse/SEC-1100
